Posted
by
Roblimo
on Tuesday November 09, 1999 @09:30AM
from the nosing-around-in-student-files dept.

PresOdent writes "Carnegie Mellon University cut off network access to 71 students who allegedly put some copyrighted mp3s on their sites on the university's computer network. The university said it discovered the copyright violations last month, when it conducted surprise inspections of student computer files at the order of the Recording Industry Association of America. Read the article from the Chronicle of Higher Education for more info."

Word on campus [rpi.edu] (RPI) is that some kids lost Network Access (temporarily) for posting copyrighted movies. Most everyone shares MP3s (many people have password-protected their folders now) but nothing has happened to them.

If another RPI student could verify this, it'd be appreciated. I know plenty of them cruise slashdot.

If these were live sites... they were published works. If I'm not mistaken actions like this could easily be countered under the Personal Privacy and Electronic Communications Provacy Acts. Of course, IANAL...

As far as I can tell from reading the article, these 'surprise inspections' just meant a quick check of the users' public html directories; the abstract definitely gives a feel of a knock on the dorm room door or the like. Nonetheless, I guess the day of the 'stern warning' is over./me makes a note to be more paranoid in the future.

I agree the students should be punished. It is against the usage guidlines set in CMU's computer policy. Acordingly they should lose the privlige (not right) to use those computers. But I think it could've been done better. Like an email to all students "we will be seraching the disks for any mp3's soon. This will be considered a violation blah blah." Then do it. Again and again. Not just to suddenly do it. I also have a problem with the RIAA saying they will sue CMU. Again the idea that CMU must police its student's pages is not something I like. I would agree that the RIAA has the right to sue those students though. And yes I know this will probably be an unpopular opinion in many regards. -cpd

CMU has historically been very skittish about copyright violations. When I was in school there, they dropped a number of Usenet groups because they alleged that the majority of the posts to them contained illegally copied material. They've also been more than willing to pull the accounts of students whose machines are used to attack other machines. None of that should really be surprising, though; it is, in point of fact, illegal to copy mp3s of copyrighted material and since CMU long ago abandoned any pretense of being a common carrier they would be opening themselves up for legal troubles if they didn't cut of access to copyrighted material once it were found. The only troubling thing here--and it is quite troubling--is that they conducted inspections "at the order of" the RIAA. That could mean either that the RIAA said "we've seen evidence that machines X, Y, and Z have illegal mp3s on them" and CMU looked and verified that, or it could mean the RIAA siad "lots of CMU students have mp3s, why don't you look and see which ones". The first is IMO acceptable and in accordance with how law enforcement would act to comply with search and seizure restrictions. It's probably required to comply with the law, though IANAL. The second is rather heavy-handed, especially for an institute of higher learning. I am not a lawyer. This is not legal advice.

This isn't something new, really. At the University of Maryland, College Park, they have been cracking down (or trying to) on the distribution of MP3s and pirated software for years. Unfortunatly, their detection has been rather limited, since all they really look for are student machines using significant bandwidth, which, in of itself, isn't proof of wrong doing. What you'll find on these college campuses, however, is a staff of people who enforce these "Acceptable Use Policies," and these staffs are usually made up of beaurocrats, and not techies. You are usually tried, convicted, and sentenced on even the most circumstancial of evidence. Hell, I know someone who got kicked out of Resident housing over LEGAL MP3s. And when the more serious network intrusions take place, they do it based on your IP address. It doesn't matter if your machine is owned, your IP hijacked, or the address simply spoofed. Basicly, there's a new kind of fascist in town. While they may not be smart enough to catch you, they may accuse you anyway and run you through. Be careful.

Could this be an invasion of privacty issue? I did not read the article so I do not know weather these were students personal computers or weather these were university computers. If they were university computers then I could see this as a selfprotection issue.

However this is a good example of what is going to happen in the future of computing and the future of privacy.

More and more there is a push for server side computing. Server side data storage, and server side everything. They keep all your information in various databases, yes even the portols do this. So when all your emila and all your files are kept on a remote server somehwere, who is there to stop them from telling you what you can store and what you cannot store? Maybe I have seen to many episodes of 'the net' but there may soon be a day when your whole life and all your info is on the web, and sys admins will always be able to access this information.

Yes, if you're going to distribute MP3s, do it among friends, don't post them publicly. However, if the sites that were taken down were anything more than "My First Home Page(tm)" the students can contest it very easily. Asking someone to remove potentially illegal material from one's site is one thing, but denying them access altogether is another. I'd like to see what it says in their "Terms of Service" file...-- Chris Dunham http://www.tetrion.com/~chameleo/index.html

I don't see the problem. When I was at university they would search our home directories for stuff like password cracking tools and portscanners and so on. Big deal. It's their network, and their hardware, and their software.

I've got no time for college kids running warez sites (albeit music warez not software warez).

What's really strange is that if they go to some lame copyright seminar they get a lenient punishment. This smacks of the kind of enforced education (I use the word loosely) increasingly popular in the US as a way of treating young people of apparent delinquent behaviour. Very odd. At UCL we lost our accounts, full stop, for serious breaches of the rules. If that meant you couldn't complete your CS course then you were in big trouble.

The article brings up, offhand, a bit about privacy concerns. However, since these files were publically available over the school Intranet, that doesn't really apply. Now, I am completely against anyone monitoring my net usage, but when you post illegal content on a school site, they have a right to take it down, and I think CMU acted well here - no harsh punishments, no overreactions, just logical punishment that is fair.

What worries me a lot more than CMU is the fact that the RIAA is forcing colleges to monitor content for compliance with their "rules." Since when can the RIAA enforce laws? Especially since the article doesn't say whether the songs were ripped by those posting them (legal, as long as no one who doesn't own it downloads it!), or which songs were available. Hmm....

I agree with you in principle. I am a CMU student who didn't lose network access. And I support the actions of Computing Services. If RIAA had to do it, the school's ass would be on the line.

What raised the ire of many of the students (and prompted the action of the Student Senate, and other groups [such as the Student Dormitory Council]) was the violation of Computing Services's own guidelines. By guessing passwords (even if they were easy ones), they were not observing their own privacy statements.

In addition, students with legal MP3s were shut off. Also, students did not receive advance notice, nor did they receive adequate explanations of the actions taken.

They have on their dorm door, "movies for sale or trade." So I think that they deserve to be smacked. Advertising that you have illegal copies of SouthPark, Star Wars, and others. Freshman are just too damn stupid.

Now their network access is obviously the school's, and subject to their terms. Admins can watch what goes into and out of a box, but is it really legal to "search" their computer? That sounds like definate search and seizure, which I thought couldn't be done without a warrant, definately not done just because a record company wanted you to.

You really won't get busted for what you leave open with Microsoft Networking. Usually, these people don't want to leave their desks, and aren't technically proficient. They watch for IP based traffic that actually passes to/from your Resident Hall's subnet. Now, if you piss off enough people that a dozen or so complain, well then, they may look into it.:) Otherwise, nada.

First, tehschool should not punish students on behalf of another entity. The offended groups should sue the students if they think they can win. My advise for these students: take the 90 minute class and get some free webspace from Yahoo, Netcenter or GeoCities or whoever and post your mp3s there.

While I am annoyed with those who insist on using mp3 as a method of propogating warez music and giving the rest of us a bad name, who simply want open standards and convinient fair use of the music we have purchased, I must say I find the notion of universities becoming a collective police force for the RIAA more than a little disturbing. When I was in college we all shared cassette tape recordings of music we couldn't afford to buy. This story calls to mind images of University employees and RAs entering dorm rooms, spot checking tape collections for illegal tapes.

While what we did as students was not strictly legal, it was pretty damn harmless. I suspect the RIAA has made a great deal of money on each and every student who did this in college, as nearly all of us have no doubt moved on to buying CD's (and some of us going the extra step and ripping them into mp3 format for convinient access on our hard drives).

I don't approve of what the students did, especially if the files in question were in areas with public access, which being on a web page implies. If they were running warez sites for the world to steal from, then shame on them. But if they were simply exchanging files among themselves, for their own use, then shame on the university and the RIAA for swatting a fly with a sledgehammer.

I once considered making my mp3 collection available *to myself only*, via 128-bit encryption and password authentication, on my web page so I could listen to my music anywhere in the world, without lugging cdroms around. I opted out, as explaining that subtle but critical difference -- the difference between fair use and piracy -- is not something I wanted to do before a judge, especially with the extreme presumption of guilt when the phrase "made his mp3 collection available on a web page" is uttered. While these students probably weren't doing this, can anyone be certain based on the article as written?

No matter how one slices this story, one thing is clear. Even the limited privacy we enjoyed as students even a few short years ago appears to have been vastly more sacrosanct than whatever it is students have now (calling it privacy would be a farce of the worst kind, I'm afraid).

The university said it discovered the copyright violations last month, when it conducted surprise inspections of student computer files at the behest of the Recording Industry Association of America.

If I was the head of a univeristy I wouldn't listen to the RIAA, even if they threatened to sue, because they could only bring legal action upon the students. It would be like if I hacked slashdot and put up an mp3 ftp site. The RIAA couldn't prosecute Rob or Hemos. They would find an prosecute me. People are so afraid of the RIAA. If I were in their shoes I would only listen to law enforcement officials.

Standford revoked many people's access for running Linux last year.. but people easily go arround it by running port scan detectors. I think serious people will just move to that sort of system now, i.e. deny access to all on camopus computer execpt ones that lie in blocks wired to dorm rooms. This creas an interesting idea: I wonder how easy it would be to keep an updated list of RIAA and co. IP blocks? I know they can always get a short term dialup account, but that can not be as efficent as looking for people from their own systems. Any ideas?

It will take a little more work to make Piracy really safe for the windows users, but most of the time the people looking for piracy don't check out SMB shares anyway.

Speaking of making piracy safe, here is an interesting idea: use a daemon (using a random port selected at install time and automatic portscan detector) to create a network were each person's computer shares it's list of MP3s but only talked to their friends systems for everyday sorts of contact (well execpt for actually transmitting the MP3s). Sorta like an old BBS style network.. execpt with no global network map. This could go a long way to making it impossible to effectivly bust pirates. I mean they could always go after the one guy who was pirating a specifi thin (like a movie) but it would be uneconomical to just go take out the popular since every site would be equally popular and tere would be no way (short of DLing all the MP3s on the network) to KNOW that you had them all. just a though..

Maybe I'm naturally oversensitive, or maybe someone just slipped me decaf coffee this morning, but we all have an obligation to stand up together and forcefully oppose Carnegie Mellon University's uneducated reinterpretations of copyright law. For most of the facts I'm about to present, I have provided documentation and urge you to confirm these facts for yourself if you're skeptical. How can we expect to help you reflect and reexamine your views on Carnegie Mellon University if we walk right into Carnegie Mellon University's trap? A necessary first step towards recovery is to look at Carnegie Mellon University with new eyes, unclouded by a lifetime of false information and deception propagated by the most choleric perverts you'll ever see. According to Carnegie Mellon University, anyone who points this out is guilty of spreading lies, smears, and racism -- an instructive warning for the future.

I once had a nightmare in which Carnegie Mellon University was free to usher in the beginning of a disrespectful new era of parasitism. There is absolutely nothing these foul-mouthed diabolic-types will not do to destroy their enemies. They will poke into the most secret family affairs and not rest until their truffle-searching instinct digs up some deplorable incident that is calculated to finish off their unfortunate victim. It is easy to see from the foregoing that I take seriously the view that just because you can do something does not mean it's okay to do it. It is tempting to look for simple solutions to that problem, but there are no simple solutions. I don't know when obscurantism became chic, but we can never return to the past. And if we are ever to move forward to the future, we have to indicate in a rough and approximate way the two snooty tendencies that I believe are the main driving force of modern Marxism.

I respect Carnegie Mellon University's criticisms, although it got into a snit the last time I pointed out that the truth of this is by no means limited to the field of general culture, but applies to politics as well. If there is one thing I have learned, it is this: you don't need to look far to see that Carnegie Mellon University continuously seeks adulation from its cronies. Apparently, some of Carnegie Mellon University's wishy-washy tirades are so self-contradictory, they're their own refutation. If a new Dark Age is about to descend upon us -- as many believe it will -- it will be the result of Carnegie Mellon University's writings.

After all, if we submit to Carnegie Mellon University's definition of "hexosemonophosphoric" and become unscrupulous, we have lost the war for self-preservation. Unsettling as that is, the more infuriating fact is that if Carnegie Mellon University is allowed to burn books, the implications can be widespread. I have just one word for Carnegie Mellon University: transubstantiatively. If saturnine ignoramuses can one day replace the search for truth with a situationist relativism based on acrimonious alcoholism, then the long descent into night is sure to follow. By now, we are all more than familiar with Carnegie Mellon University's unpleasant deeds. Let me explain. Outrage pounded in my temples when I first realized that Carnegie Mellon University wants to hijack the word "ultraphotomicrograph" and use it to destroy the values, methods, and goals of traditional humanistic study.

Carnegie Mellon University's stratagems have grown into an intemperate tapestry weaving together classical conspiracy theories of the 19th century and post-Marxian economics. It's my hunch that Carnegie Mellon University uses the term "theoanthropomorphism" with ostensible confidence that its meaning is universally understood. Notice the raucous tendency of Carnegie Mellon University's bons mots. This is kind of a touchy subject to some people. Speaking of abominable imbeciles, no one of any intelligence believes that anyone who resists Carnegie Mellon University deserves to be crushed. Human life is full of artificiality, perversion, and misery, much of which is caused by the worst types of immoral riffraff I've ever seen. And that's the honest truth.

The article seems to state that all of these searches were done by checking the contents of ~/public_html files on University owned servers. While it may have been a bit surprising for the University, given the choice between slapping 71 students on the wrist or potentially having a very expensive lawsuit from the RIAA, well, it doesn't take a rocket scientist to figure out which is the better idea.

If you're a CMU student and want to rebel against it, just fill up your public_html with mp3's generated with dd if=/dev/zero of=bjork-its_too_quiet.mp3 or dd if=/dev/random of=foo_fighters-random_mumblings.mp3. Civil disobedience is mighty effective.

Remember though guys, music is copyrighted and if you're listening to something then you like it enough to buy it. Most of the professional musicians I know are scared of mp3 due to the massive piracy which currently occurs in that medium. I'm not an mp3 fan, but I'd like to see the format legitimized. Let's hope this kind of thing doesn't give the record industry excuses to charge me even more per disc.

They were LESS liable for the behaviour of their students BEFORE they started snooping. Now that they've set a precedent of editorial control over content on their network, they will have to keep monitoring for and removing copyright violations (or potential violations, or libel, or obscenity, or any other forbidden-speech-du-jour) from now on.

I think college students (me included, at one point) tend to forget that the super-fast network access is a priviledge of being at college and not a friggin' right! If most universities have a `privacy policy', I don't think they're going to have any qualms about looking at files stored on their own hard drives to check there's nothing illegal there. Even looking at `public' files on students own boxes wouldn't surprise me; it's their network after all.

I'm lucky and can have my Linux box on-line 24/7 from the comfort of my bedroom; nobody demanded my root password as a condition of providing this service so I think I'm fairly lucky. But I do know damned well the Computer Services people run probes on the contents of anonymous FTP servers and regularly look for other network `weaknesses' on students' boxes.

So I hardly think this is an invasion of anybody's privacy, only a few stupid students who didn't hide their illegal activities a bit better; playing the invasion-of-privacy card just doesn't work here. In fact they've only been cut off for the rest of the semester; pretty lenient all in all.

The state of our legal system is not such that they can afford to risk it. They DO face liability for allowing mp3 sites to run which they're made aware of. Furthermore, trading of copyrighted mp3s like that is still technically illegal, and the college does have a certain obligation to minimize it, especially when they can do so with so little effort.

I'm no lawyer, but I don't know how true this is. As a network admin, I am responsible for everything that is on my network. If someone has access to something they shouldn't, it's my fault. If someone is misusing my network, it's my job to track it down, and put a stop to it. Look at it like this: If you hacked slashdot, and put mp3's up, yes, you would be liable. BUT, if Rob and Hemos found your MP3's and kept them up, they would be responsible as well. Aiding and abeding...

Over here at Univ. of Michigan, the engineering computer support team has justed released it's first version of "Blue Hat", a Red Hat derived Linux distrubtion with additionaly functionality for some of the networking features here on this campus (AFS, Kerberos, etc).

Did the school ever prove that the students were actually distributing music they didn't have permission to distribute? Or did they not bother? It's a scary thought to think that perhaps the RIAA simply told them that there were illegal activities going on and the school simply took their word for it. How many innocent students were punished?

I work for the networking department of my school, where I have a much faster computer than my own at home and a very fast link. So that's the computer I rip and encode my cds on so I can listen to music all day. Am I going to get fired because the filenames are publicly viewable?

I also often download mp3s -- the legal kind. Some of my favorite bands at least allow one or two mp3s to be freely distributed (often bootlegs). These files I'll even put in a publicly accessable directory. Will I get fired for that?

Sometimes I download my mp3s to my machine at home. This is over a modem line, so it's not always feasible, but I still sometimes do it. Is it illegal to distribute copyrighted material to oneself? I'm waiting for the day some power happy administrator with a sniffer is going to turn me in for breaking the backs of the poor exploited American musical artist through the horrible act of listening to and supporting their music.

So how many students at CMU were only distributing mp3s legitimately? How many of them simply only had their own mp3s, but weren't technologically competent enough to make them private? How far did the school go to locate these files, and in contrast how far did they go to prove that these files were indeed illegal? I'm afraid I didn't see any of these questions answered in the article. Are there any other sources of information?

logan (eagerly awaiting RIAA to come to his school, though they probably have already)

"The distribution of programs and databases is controlled by copyright laws, licensing agreements and trade secrets. These must be observed."[1]

"The distribution of copyright protected materials is illegal and is in direct violation of the Computing Code of Ethics." "Users found to be distributing copyrighted music files will have their network connections revoked for not less than one full semester and may be subject to displinary action."[2]

>Where from that article did you get that the students' computers were being searched? The article clearly states that CMU "randomly checked >the public portions of 250 students' computer accounts". In no case, however, were system admins "illegally" searching through private >computers.

And, if you had read the previous comments, you would have realized that the article was wrong. All of the CMU students here (including myself) have pointed this out. ALL of the searched computers were private - I'm not sure where the article writers got the idea that 'student accounts' were checked.

The "illegality" issue is that Computing Services attempted to break people's passwords. This is a violation of the CMU Computing Ethics code, if nothing else.

is what i'd like to know. I know i own almost every album that my mp3's come off of. The only reason I spent so much time dl'ing them is that i do like to see if i'll like a song or a CD before i go and spend my money. I know there are lots of people out there who will just rack up the GB's with mp3's of songs they have no intention of buying, but i understood the current US law to say that if you have a legal recording you can copy it in as many different ways, as long as it's for your own use. So what if they put thm in shared directories, "oh hey, let's go to so-and-so's room to study, i'll share out my stuff so we can listen to it from over there". dunno, sounds like a big stink about nothing....

Greetings, I am a student at CMU right now and give you all the lowdown on what happened. Basically the CMU admin did a search to see which computers where ebign heavily downloaded from and such. They then did a sweep of the network checking a computers here and there. The looked at all directories not password protected, but also.. and here's why some students are upset. They guesses a few passwords as well. Now, they didn't go trying to hack into machines or anything, but they did try passwords such as "mp3" or "cmu" for directories labeled "warez" or "mp3" and such. Personally I don't really have a problem with this, it is illegal after all, I guess its just strange because its seemed so natural to go download things like mp3's that we've forgotten it's actually akin to theft. Thanks, Adam Steele Physics/CS Sophmore

As someone who works for CMU and knew about (but did not participate in) the crackdown, here's some more info on what happened:

Several staff members went through Network Neighborhood by hand. Any machines that had open folders with names that appeared to contain copyright violations were checked. Passwords that are "obviously" intended for sharing (like "mp3") were checked. If there was a README that said anything like "My password is...", and it appeared to be an invitation to share, it was checked.

A few students had only legal material, and when they pointed this out, their network access was quickly restored. Most of the students were only angry that they'd been caught.

This is a grey area, but the people who did the scan tried to make sure that they only went after people who were attempting to distribute music to people they might not know, which, if not illegal, is certainly a violation of CMU ethics.

As far as the passwords used, would you seriously argue that an ftp site wasn't open if the username and password were "ftp", and a README popped up before login telling you about this password? Passwords like "mp3" are the common way of saying "share and enjoy" around here, so it was considered public.

Common./'er reaction to this story: "What about the students' right to privacy?! They were violated...."

I guess people always like to play the "P" card because they have a vague understanding of their Constitutional rights against illegal search and seizure.....by the governent on their private property.

Now, when one private entity--a corporation or university--owns a resource such as a network, you can kiss privacy goodbye. Court cases, like it or not, have clearly established that employers have the right to go through your corporate email at any time for any reason or no reason if they so choose--it's their network resources and they can do with them as they see fit. Now if the Feds show up in the company lobby and wanna go through the mail server logs that's a different story altogether.....that's where I say the Constitution kicks in.

The same rationale could be applied to these kids at CMU--a private institution. The university owns and operates the network, and grants the university community priveleges to use it, not rights. The university is responsible to ensure that its network resources are used in an ethical and legal manner, so it is perfectly within its rights to go through any area of the network and look at anything it wants to with no notice, except for private student PCs. Password protected or not, the files resided on a private network.

Reality is that the letter of the law and political correctness usually differ greatly. Public policy follows opinions in a democracy, and when opinions collide we end up in court. Does CMU have a PR battle ahead over this to win the hearts and minds of "violated" students and armchair rights activists chiming in on./ and email from all over the world? Will they have a tough time attracting new freshmen because of their get-tough stance on MP3's? Maybe....but if they have the moral conviction to stand by their policies then it really doesn't matter.

I'm no fan of RIAA and their lawyers and scare tactics either....but they are doing what I'd expect them to do by aggressively protecting the cash flow of their artists.

Rationalize it all you want, it is still illegal to speed. The law is just another social contract. I agree to be contrained by rules because I then know others are similarly contstrained and this protects me from harm at the hands of others. So you speed, doing 70-mph in a 55-mph zone on an urban freeway. No harm, right? Well what about someone doing 45 in a 30 zone at a grade crossing on a snowy day? That 15mph difference could be the idfference between stopping successfully when the light changes and slamming into someone, killing them.

Speeding is not without consequences, even on the freeway. Because you are willing to take the risk on yourself does not mean that I, as another driver on that road, have agreed to take on that added risk.

I, too, exceed the speed limit somewhat in my desire to get where I'm going, but if I get pulled over and get a ticket its just my own damned fault.

While I love free software and am very upset about patents and their effects on programming freedom, I totally support copyright in all of tis forms. It is up to an author whether or not to sell or give away their creation. When you copy and share, you steal. Period. It may be a small crime, but you knew you were breaking the law. You have to accept the consequences. "Everybody does it" is not an excuse.

"A patriot is someone who gets a parking ticket and rejoices that the system works." -- Somebody clever whose name I can't recall right now...

Only Windows Networking (SMB) shares were subjected to the network sweep. As a result, any Linux, *BSD, or other shares were left untouched. In fact, by clicking on a person's URL in a Slashdot post (a NetBSD server) I was able to find a cache of MP3's and Warez that were completely ignored by Lerchey and crew.

Use Linux, or any non-SMB FTP server for that matter, and you can leech to your heart's content.

There seems to be a few misconceptions about why people are upset about privacy violations. I'm a CMU student (not one of those involved), and I really think that the journalistic slant is ridiculous. People, you simply have no idea what is going on from that article.

The article said that people were putting up MP3s on Web sites. Uh, no. The university network administrations conducted a sweep of *Windows shared drives* looking for MP3s. Plenty of people have shared drives. Sharing a partition of your drive so that you can use it around campus (like listening to your MP3s in a computer cluster) is not equivalent to posting them to a Web site. Furthermore, the university deliberately broke into some of the computers they examined. Some of the shares were unpassworded. I supposed I can at least understand the university being upset about this, if the shares were obviously intended for public access. However, if CMU found what they deemed to be "dubious" computers, containing *passworded* shares with a name like "MP3", "MUSIC", they started running a password guesser on the computer until they got in.

Now, I can at least see accessing public shares. If they weren't designated as "for public use", that's one thing. But guessing passwords is unforgivable. Quite frankly, if I started trying to "guess" root passwords to the network administrators' computers, I'd be kicked off the network. Evidently, the fact that our computers happened to be connected to the network gives the network admins an idea that they have a right to break into our computers. They broke into some of our *privately owned* computers, into *passworded* segments of our computer that were obviously *not* public. This is blatently illegal, and the fact that CMU would do something like this at the urging of the RIAA disgusts me.

The news article was flat out wrong, and heavily biased toward the RIAA. I'm not impressed.

This sets a chilling prescedent. If I can say that some sort of content on a computer connected to my network is "dubious", then I would evidently have some sort of legal right to break in to private computers. This is, in my mind, not acceptable. If I have a share named "warez", can the university then legally break into my computer? What about one called "software"? What about one called "private project for MIT" (i.e. research not being done for CMU)?

Quite frankly, I hope the CMU network admins get sued under every computer trespassing law available. If CMU can do it (a traditionally level-headed place), *anyone* can legally examine your private computer.

The funny part is, what they did is not technically illegal. I remeber several years agi a very prominent 'warez' site run out of MIT that had GIGS of things to download. When they pressed it in court, it was thrown out. Pirating is illegal, but happening to leave your cassette tapes out where people can copy them ISN'T..;-P

I'm also a student at CMU, a feshman in Electrical and Computer Engin. Network services did a little more than guess passwords and check unpassword protected files. They looked for text files in open directories and read them to find passwords. While this distinction on the surface means little, its implication is that they couldn't simply search the network for *.mp3, and it would also be difficult to impossible to write an algorithm to find passwords in text files. This means that for the duration of the search (which seemed to last at least 12 hours) there were people personally looking in every open drive. An I know from experience that they were dilligent. I was listening to my large library of illegal mp3s (well password protected of course) when I noticed it began skipping. I quickly unshared my public directory containing a couple of legal zips and right away my computer was back to normal speed. Network serviceswas dloading all my zips to search for a password! That, combined with guessing passwords amounts to a little bit more than checking unprotected stuff in my opinion. Admittedly, they could have packet sniffed passwords (thank you microsoft) and gone through many more boxes, but is that a real consolation? We shouldn't need encrypted passwords to protect ourselves from our own school.

What the Chronicle article fails to mention, or made factual mistakes with:

1) These files were NOT on student websites. They were on students' own machines shared via Microsoft Networking.

2) Many of the computers found "in violation" had their shares passworded. However, CMU tried to guess passwords when it ran into them. So if they could guess it, they considered it public access.

3) The uproar is not so much about the school trying to reduce mp3 sharing over their network, but the manner in which they did it. The CMU Computing Code of Ethics [cmu.edu] clearly states, "Every member of Carnegie Mellon has two basic rights: privacy and a fair share of resources. It is unethical for any other person to violate these rights...On shared computing systems, all user files and directories are considered to be private and confidential. Only files which a user has explicitly made public (e.g., by placing in a "public" directory) should be considered open for general access. Accessing and using files in another person's directory when not expressly permitted to do so by the owner is a violation of that person's privacy" The Code further states "Loopholes in computer systems or knowledge of a special password should not be used to alter computer systems, obtain extra resources or take resources from another person". Clearly what CMU has done, by going into folders not marked as public and guessing passwords has violated their own Code of Ethics. That has gotten a lot of people pretty upset. They followed the rules but lost access anyway.

4. The students affected could reduce the time they lost network access by a few weeks by going to a stupid "education" seminar to hear why copyright infringement is bad, and then write some paper along those lines. I think those that did that get their access back on Nov 14, or something like that.

5. Computing Services sent out an email to the student body giving their side of the event. You can find the text here [cmu.edu].

If you had a folder shared and they couldn't guess the password, if you said anywhere that you would give out the password upon request they killed your connectivity. Even if there was no copyright-infringing material there, but merely if it *seemed* that way! They simply assumed that there was if you said you would give out passwords like that. Of course no one would give passwords to Computing Services, so they couldn't check. For all the details check the Computing Services email message linked in my above post.

You're not telling the whole story. Recall that the password "guessing" was very limited -- "mp3", "password" were tried... as were any passwords explicitly listed in shared, public README files.

If a password's listed in a file, or it's the folder name, or is another giveaway, it's clearly intended to be publicly shared. Remember that the default directory permission is: NOT shared, and that there are far more private ways to transfer files.

Thought i'd mention that CMU has been doing this from time to time. I know several people who go there/have gone there, and have heard about their unofficial yearly student file check for illegal material. last year, there were quite a few software piracy busts. of course, this begs the question: "Is this a privacy violation?"

It would be like if I hacked slashdot and put up an mp3 ftp site. The RIAA couldn't prosecute Rob or Hemos. They would find an prosecute me. People are so afraid of the RIAA. If I were in their shoes I would only listen to law enforcement officals.

actually. if you hacked slashdot and did illegal things. rob and hemos would be responsable for stopping your. if they didn't do anything, they could be sued for your actions on their part. their computers are their responsability regardless of who hacked into them.

if you are at a school and you are using the schools network you are under their law. the administration can trun your network off whenever they feel like it. its not your network. if you are using their network for illegal activities, it is the administrations responsibility to deal with you.

i am speaking from expirence. geffin (sp?) records put the smack down when i lived in the dorm, and the university disconnected me without a word. i was rather disturbed at the time, but they were within their right. i was pretty lucky no legal action was taken.

they are actually doing the students a favor. if they didnt stop them the riaa could easly have them arrested.

I have a question...is it illegal to simply make MP3s of CDs I OWN and keep and don't distribute?

If not, can I be arrested by hanging my CDs on my front porch if somebody then takes them and copies them? Um, shouldn't it be THEM that get in trouble?

This is going a bit far. Really, I think RIAA and software companies use the "warez"-scare just to inflate their prices ("our product is so expensive because bad people are copying and not paying for it").

Universities are afraid of making anyone mad, due to the "philosophy" of political correctness and the threat of lawsuits. From what I've seen in lawsuits that come from situations like this, the responsible party is almost always ruled to be the end user, studends in this case.

I go to one of the largest public universities in the country, and at any given time, they have at least 50 lawsuits pending against them, probably many more. The threat is real. Don't count on universities to take a stand in this case. They almost never take a stand on anything.

You would think students at CMU would be smarter than this. Rule number 1: no mp3s on the web. OThey'll be taken down quickly. ONLY run ftp sites from YOUR computer. Rule 2: Don't suck more bandwidth than you can get away with. If you're bogging down an entire t3 line, people will start asking questions.

I'm quite sure that there are lots of people on the CMU network that are fully capable of "guessing passords" on school run computers and "removing" files that they saw fit to remove without being discovered. one would like to think that these students would stand up for their friends who are suffering essentially the same fate.

I'm sick of the posts that go something like "CMU was violating their rights" or "the RIAA put them up to it." Get over it, folks.

Network access in your dorm isn't a right---it's a privelidge. At virtually every university with dorm network access, in order to gain access you must sign a "contract" or at least agree to some sort of AUP. Pirating software (music included) is definate breaching of that AUP/contract. You pay the price. Period. It's a shame those kids didn't get reported to the RIAA or law enforcement. The problem is that large private universities want to avoid bad press in any way possible; "there certainly aren't any illegal activities going on at OUR campus... look over THERE!" say school officials.

I digress. There are RULES. The rules are there for a reason. You may disagree with the reason, but you still have to follow them or you pay the price. If you don't like the rules, talk to the people who make them. If you talk in large enough numbers, things change. That's how America works. Last I checked, CMU was in America.

(And don't even get started with the "well, people are going to pirate mp3's anyway, why should the school stop them?" because it's NOT the university's decision whether it's illegal or not; it's the federal government. Universities stop underage drinking on campus, stopping pirating is the same thing.)

I totally support copyright in all of tis forms. It is up to an author whether or not to sell or give away their creation.

Yup, and as soon as the Artists call CMU and tell them to take their creations off the local network I will support that decision.

My problem with the RIAA and it's practices is the abuse of artists by the big 5 recording companies. Making them sign away their lifelong right to their own music and URL simply to get the foot in the door of a building that the RIAA (for simplicity's sake) has bolted shut.

When I have to chose between supporting what I see as immoral market actions with slightly illegal actions (made illegal by the same people who wish to control it), well, I think it's fairly obvious where I stand. This is the same moral market decision that has allowed me to install the same copy of Win95 on *gasp* three machines.

(Most of the streaming MP3's I listen to are either electronica/ambient/tech or from Phish, who have seen in thier wisdom that freely distributing live music is a GREAT way to promote a band)

His point is completely valid. I'm not defending.MP3 pirates, if they were truly running a public site they knew what they were doing was wrong. HOWEVER, I could easily see someone making the read-only password for their own.MP3 directory "MP3" so they could remember it more easily. The fact that a password isn't a good one does not make it legal to break in.

I agree totally and I would suspect that the courts would see it this way too, but I would like to hear from someone with some legal credentials.

So what can these people do about it? Can they sue or prosecute CMU for hacking into their systems? How dose one go about prosecuting these sorts of hacking attempts?

Also, is there anything we can do to encurage the victimised students to prosecute CMU? Or are there web sites to report hacking attempts to the athorities that will at least make life difficult for the people at CMU while they are investigated?

One last question.. Can someone post more information or links regarding the specifics of these hack attempts? Like maybe the names of the hackers, i.e. CMU IT personel who ran the passxword cracking program.

2)...(in short, u said)...CMU guessed passwords, considered public Not entirely accurate according to their email. They considered 'easily guessed' passwords and those that had passwords in readme files, or were freely given upon request, the same as public access. They did find systems that had mp3s and such, but with better passwords. Those they considered were there for legal, 'private' use.

3)...(in short, u said)... CMU violated their code of ethics No... If you read a little further you would have noticed this line under the 'System Administration' section: "On rare occasions, computing staff may access others' files, but only when strictly necessary for the maintenance of a system or in active pursuit of serious security or abuse incidents." They were well within their rights to search the systems, whether password protected or not. The students have no grounds to complain about anything.

They were LESS liable for the behaviour of their students BEFORE they started snooping. Now that they've set a precedent of editorial control over content on their network, they will have to keep monitoring for and removing copyright violations (or potential violations, or libel, or obscenity, or any other forbidden-speech-du-jour) from now on.

This gives me an idea for a great legal system hack that someone who really wanted to ``get them back'' could use. ``Find'' a kiddy porn site hosted at CMU.. and sue them. Nope, sorry, no common carrier status. That would be just wonderful.

This has given me another idea for a way to pirate legally.. by taking advantage of the common carrier status. Use a daemon to run network of moving files (not all MP3s). I would never know what I had on my system as that would change all the time and anyone could put files into the system, so I could claim common carrier status (since I have never erased anyhting) and there would be no logs to prove that any MP3s originatted from my system. I'm not shure how well this would work in practice since people might fill it up, but I suspect it would provide some legal protection.. especially if the files you actually use for yourself (i.e. not on the network because you dont want them randomly deleted) are kept on a partiation encrypted with a plausible deniability system (SegFS) AND there were probable legal uses for the system.

You're nothing but a lame pirate. There's nothing rebellious or cool about what you are doing... there are 12-year old kids who do the same thing. Grow up.

So someone who has a different value system than you is automatically a 'lame pirate' who needs to 'grow up'? It seems you might want to examine the logic behind his position before you flame it. I rarely purchase music, now that I can listen to streaming mp3 sites, and radio stations all over the world I have no need to download MP3s or Pay for music in any fashion. Am I now a 'lame pirate' as well? Considering that most artists make their money from concerts, not from radio play or CD sales it's almost meaningless to the artist whether they sell CDs or not as long as they get a good concert turn out. Korn even posted Mp3s of their own songs on their website and were forced by their record label to remove them. How is this protecting Korns IP? The Recording industry is bloated and corrupt. The artists would do better releasing a couple of songs for free on Mp3 and then doing a tour.

On the reverse side of page 35 (found by reversing the direction of the W2k CD) in Sanscrit we find:

The user agrees that Microsoft Corporation, TM, retains full use and ownership of all intelectual property enableled by Windows,TM, software, TM. Because of this property right overrides all others, we have made sure that nothing on your personal computer can be concealed from us, or anyone else. The term "Privacy", which sounds like piracy, as used by the popular press is a fiction and will not be found anywhere else in this user agreement.

There you have it surrender your creativity and consume! Microsoft and the RIAA, which sued the Girls Scouts of America for singing a copyrighted song around the capmfire, are birds of a feather.

I sure get a kick out of how people get all defensive when the obvious fact that they are stealing is pointed out to them.

First of all, if you listen only to net "radio" stations that have a right and license to broadcast all of the music they use, then great, no problem. However, if your are listening to streaming broadcasts of illegally distributed MP3 files, then you are just as guilty as the person broadcasting (at least for a moral, if not legal perspective).

Some of the other arguments are even more laughable though. The idea that only food, cars, etc can be stolen, is pretty funny. I mean, why should taking food count as stealing. It's way overpriced (just like software and music supposedly are), and people need food a lot more than they need music and software.

Or how 'bout the "I wouldn't buy it anyway, because I don't have the money" argument. This is just as funny. There are lots of things I can't afford, but that doesn't mean I can just take them if I want them. I would love to be able to talk to the people I know in England any time I feel like it, but I can't afford to. Since there's no way I would actually pay for all that phone time, it's OK for me to just steal it, right?

People get it through your head! Just because the reproduction cost of something is basically free does not mean you can justify stealing it.

Spitting in somebody's face is an infringement on their rights (assault).

Whether it is theft is hardly an excercise in rhetoric, unless all things equal all things in your world. Theft != Assualt != murder != copyright infringement. It is that simple.

The problem with the RIAA (and now the film industry) is that they are happy to redefine "copyright infringement" as "theft", even though legally, ethically, and semanticly they are not the same. Indeed, they often even go further, equating "fair use" (legally permitted) and "reverse engineering" (also legally permitted if you are trying to get something to interoperate with something else, such as, say DVD and Linux mentioned in another thread). Their purpose in doing this is to demonize those infringing upon the copyright, which includes just about everybody who ever taped a song off the radio, a television show with their VCR, or made a tape from their CD, if they *gasp* went so far as to share it with another.

Not entirely accurate according to their email. They considered 'easily guessed' passwords and those that had passwords in readme files, or were freely given upon request, the same as public access. They did find systems that had mp3s and such, but with better passwords. Those they considered were there for legal, 'private' use.

Okay, lets say I share a folder with MP3's...

If I make it publically accessible, that's fine for anyone to look at. I'm implictly granting copy permissions.

If I put a password on it, of any kind, be it easy or hard, I'm denying that permission. For a school to come into my system, basically hack it (guessing passwords is the oldest form of hacking), then they are breaking the law. Period. Criminal Trespass. Illegal Search (possibly). Definitly a rights violation.

I say, sue the shit out of the school. Or at least go wacko and shoot a few administrators (mainly a joke:-).

see above, if i can guess it, so can the hackers and the RIAA... but i believe this is tresspassing, and akin to picking a lot and saying 'it was a crappy lock', which is clearly illegal... CMU went too far here...

Just because somebody puts a password of 'mp3' on their share does *not* mean it's classified as private/password-protected. This is a very typical and normal way of setting up MP3 shares on anonymous FTP sites or Windows shares and, in my opinion, is essentially the same as "public access."

Don't think of it as a crappy lock, think of it as a code-word required for entry that's general knowledge. If the students really were protecting their files, they'd have used a real password. Their intent was to set it up for public access, which tips the scales against them. I believe there is a legal definition for 'password protected', and the intent of the owner to restrict access is a requirement. This is not the case here.

like some other schools, this email should have been sent out before the event, so that the kids would not have publicly shared the stuff!

At my previous university, in order to get campus ethernet, you had to agree to terms and conditions that required, in part, compliance with copyright laws. This should have been adequate warning. Just because some of your l33t hax0r mp3 friends are doing it and not getting caught doesn't mean you won't get caught either. You will have a hard time finding any of those students that didn't know what they were doing was illegal.

Not to sound evil here, but the university can do whatever the hell they like with their network connections. They don't *have* to have any proof of wrong-doing to nuke a connection. If they were in fact overzealous in their efforts, they were no doubt trying to send a "message" to the rest of the student body that these things won't be tolerated. The students in question will probably have their connections restored in short order.

If I put a password on it, of any kind, be it easy or hard, I'm denying that permission. For a school to come into my system, basically hack it (guessing passwords is the oldest form of hacking), then they are breaking the law. Period. Criminal Trespass. Illegal Search (possibly). Definitly a rights violation.

Not quite.

Intent to restrict access is a vital point in any 'password-protected' defense against CMU's actions. By using a password of 'mp3' (which most people recognize as the password to use when attempting to access MP3 resources) or by placing the password in a README file, you are making it clear that you have no intention to restrict access to your MP3 files. For that reason, the data can be legally classified as 'public'.

When you share you're not even breaking a law, much less stealing anything. When you copy you may be infringing on a copyright, but even that is not theft. It simply isn't, it doesn't even have the same

sentences as theft. Legally speaking they're different crimes.

This is facile. It depends on who owned what you're sharing in the first place. Feel free to share anything you own. When you share property of mine without asking me or telling me, you are stealing. And I don't care if the law views it differently, I am talking about moral conduct here.

I think there is plenty of room for a philosophical debate about the nature of a duplicable recording -- how can it be stolen if the "owner" still has the thing? You've just made more of it. Is a copy of a thing the thing? This is metaphysics.

As a matter of practice, however, the whole of copyright law is based on the notion that the author of a text (or score, and by extension the more modern texts of film, broadcasts, and recordings of the same) can choose to reserve rights to that work; can choose to grant those rights in whole or in part. Unpublished works are protected. Published works are protected by copyright.

The point of this that the copyright holder is the sole entity with the right to assign those rights. When you copy and distribute, you are usurping the right of the creator because you feel like it. Criminal copyright violation is a felony and carries considerably greater criminal and civil penalties than would theft of a CD from a record store, which would be a petty misdemeanor.

In music these days, most artists are covered by ASCAP (in the US) or BMI (in the UK) minimum basic agreement (or better as negotiated by the artist or his/her agent) which grants certain specific rights to the record label for a certain period of time and certain rights to the artist. Amongst other things, these basic agreements specify terms for radio broadcasting of songs, so that indivdual radio stations don't have to enter into individual contracts with indivdual artists to play individual songs on the radio.

Now, if I publish a song and copyright it, I do so in the expectation that I (or contractually authorized agents) will control distribution of the song. When you copy it and give it to a friend, you steal that right (and in all likelihood, cost me money). If I publish a song and do not copyright it, or I grant specific permission for everyone to use it as they please, then fine. I don't then expect that control.

The courts have established a fairly consistent pattern when it comes to home recording. When a recording is of material legally purchased by you and that recording is intended for personal use, then it constitutes "fair use" and you may do so. Play it to others for profit, give it away to others, or sell copies and you are stealing (criminal copyright infringement).

As for the RIAA, they are the trade association of the recording industry. They act in the interest of their members (the record companies).

This is not a free-speech, free-software issue. This isn't even like the Linux CSS software debacle, which was about a boneheaded encryption scheme that locked out open-source software. But why does the entertainment industry want bonedheaded encryption? Because of a bunch people out there "sharing."

Look, we either live in a civil society or we live in a "bugger the hindmost" every savage for himself, take what you can get, screw your neighbor society.

You expect your university to cover for you when you do illegal things? There's no reason CMU would *not* want to accomodate the RIAA here. If I were running a university, and I was told a bunch of my students were breaking the law, I would naturally try to help locate and bring them to justice. I wouldn't go off and say "OK, we'll look into it," and then snicker quietly as I let my students continue breaking copyright law.

Universities tend to turn a blind eye to this sort of thing, much to the charign of developers and other copyright holders, but I would *certainly* expect a university to follow up and do something about a legitimate and explicit complaint.

The only troubling thing here--and it is quite troubling--is that they conducted inspections "at the order of" the RIAA.

I believe the article explicitely said, "...at the behest of..." This is hardly the same thing. From the article, it appears that the RIAA sent a blanket letter to several dozen universities about the ongoing problems of illegal MP3 distribution. CMU, upon receiving this, decided to stop turning a blind eye to it and start enforcing their school policies against violating copyright laws.

We don't know the contents of those letters, but it surely wasn't anything specific. It probably outlined the RIAA's concern over MP3's and how common it was to find these things distributed from university ethernet hosts. CMU took the next logical step.

If I were a university, I would be more concerned with my image of harboring a bunch of l33t MP3/warez-trading kids in my dorms than being overzealous in my *internal* conflict/legal resolution methods.

hmm.. I was comparing "borrowing" CD's from your friends with sharing copies of the digital signal on the CD's with the same closed group of people.

I personally don't see anything wrong with MP3's until you burn 'em to a CD and sell them as your own. Up to that point you are using a transitory media, much too vulnerable to random corruption to warrant $1 a song pricing (especially using a windoze machine), which is more like listening to rebroadcasts on the radio than any other form of old media.

I could go on, but I like eating lunch, so e-mail me if you want the full treatise.

From the much vaunted Code of Ethics (in addition to the public/private clause floating around):

On rare occasions, computing staff may access others' files, but only when strictly necessary for the maintenance of a system or in active pursuit of serious security or abuse incidents.

This was indeed a rare occasion and, at least to CMU, this was a serious abuse incident. People are quick to point out that CMU broke the rules, but being skeptical, I read the whole privacy statement and found this line. This line right here, which students (I'm assuming) agreed to as part of agreeing to policy, gives them the right to access those files as part of their 'sweep'.

I don't think it's a great thing, what CMU did, but I think people are directing attention away from the real issue which is that people were breaking the law and got caught. Yes, it's rather fascist and if the government did this to me (and who's to say they haven't already), I'd be in an uproar, but this is a private institution that runs a private network. If you break the law on it, damned if they won't bust your ass for it. People need to read all of the terms when they sign up, not just the parts that they think will let them get away with what they want on their own personal machines.

Guess what people. These students abused the system and the system called them on it by their own rules. There are 179 kids right now who aren't in trouble and are laughing at the other 71.

p.s. (because I've seen this a couple of times) Borrowing CDs is not copyright infringement anymore than borrowing a book is. Copying a CD and giving it away (which is very akin to making an MP3 and distributing it) is copyright infringement, just like xeroxing a book and giving it away ain't legal, either.

Get real - you're violating state law in all 50 states. Just because you can find a frigging URL that says otherwise means nothing.

Ooooh, look who didn't do his research and is spouting off without any knowledge whatsoever. The URLs that Soldier listed are the URLs that lead to researched and proven legal precedent for lving in the US without any kind of state/federal registration. He's perfectly within EVERY law in EVERY state because the state laws don't apply to him in these specific cases because he has placed himself under the jurisdiction of a higher law which over rules those (more or less). There is no law which states you must specifically have a US drivers license to drive a car in the US.

Of course I know, I am in the frickin' business. So you are saying that the record companies that shell out thousands of dollars to record, market, distribute the cd, do not deserve any money for their efforts to bring you music that can be played anywhere these days? What about the record companies that are owned by the artists? Do you even know how much work is put into making a cd to market? Do you know how expensive recording studios can run, per hour? SOMEONE has to pay for all that stuff. It's a frickin' business.

Oh? And why do they have to do that? If the entire idea is to draw people to concerts so that the band can make money then the band just has to record a couple of the live concert versions and send them out for free. Voila, song is done. They make money from the concerts. Recording studios are outdated. So is most of the recording industry.

When you are using somebody else's property, you abide by their rules. They made it quite clear that they had the right to search the student's computers. The students agreed to that rule by using the network. No room to complain.

Complaining is like Jello. There's always room for more.:-)

The point is I'm sure you could convince a judge otherwise. And even if not, you could be enough of a pain in the at that at the very least they'd think twice about doing it again.

I'm not saying it's right to pirate music, I'm saying it's wrong for anyone to do illegal things to you. It's a rights violation, damnit. They may have signed away that right, but that doesn't make it any less wrong!

Argh.. I shouldn't get drawn into these arguements.. my head is hurting.. argh.. need pizza...

(for the NT-unaware, and administrative share, is one that is at the root of every drive-letter, by default, on NT, anyone can use NET USE with the administrator password to gain access. Most savvy NT administrators delete these "hidden" shares after installation of the OS - but this subsequently can interfere with some applications)

I wish I had a nickel for every time someone said "Information wants to be free".

So what if they had illegal data on their machinea? What if I'm snorting a huge line of coke right now and the cops break in without a warrant. "Hey look he's got coke, now we don't need a warrant." See?

Its inadmissable, not to mention who would go after a copyright voilation if no money was made out of it and was just one person listening to a few tunes. Even the RIAA has better things to do.

You've already decided that coming in is legal and fine so whatever is found can be used to incriminate the owner. When in reality coming in is NOT fine if you find the door locked and you begin to force yourself in. Regardless if other people have cracked it, the first crack is as illegal and the 100th crack. Regardless of how long it took to crack, its still cracking.

Now if the sign said "Set my house of fire" with a gas can and a lighter next to it would that be fine too? Arson is still illegal regardless of how easy it is or if 'everyone else is doing it.'

Another thing everyone is forgetting is you have no idea what MP3's are legal or illegal without knowing what CD's or Tapes that person owns. MP3 transer also isn't illegal if the recipient keeps it for under 24 hours. Its called fair use.

You know, I wish I had the luxury of determining which laws I thought were breakable because what I was doing wasn't realing "harming" anyone.

Of come on now, spare me you self-righteous sanctimony. People do this constantly be it traffic laws, littering, 'stupid' local laws, trespassing, piracy, drugs, prostitution, curfews, etc.

What the first post of this thread really was about is, yes, the harmlessness of consumer piracy and how the litigation craze has become the net's inseparable partner. It will continue to happen until mama-cass-meteor smacks the earth and for the most part its beneficial. How many musical acts would be unknown if it wasn't for word of mouth and piracy? The grateful dead comes to mind here.

Selling pirated music is much more a crime because it actually DOES take money away from the rightful company. While giving your buddy a copy of something doesn't mean he was going out to buy it, in fact he might think its terrible and save himself 15 bucks.

If you're that naive and have zero-tolerance for software piracy than its just not the industry for you.

But where do you draw the line as to what passwords consitute intent to make it public vs. private?

I'd draw the line where the password ceases to be obvious. I'm not a regular MP3 trader, but I automatically know that 'mp3' is usually the password to use when I come up to an MP3 share. Beyond that, it's a gray area, and one I, as an admin, would not be willing to venture.

"Theft," in common usage is absconding with private property. Copyright is a legal construct that makes the specific embodiement of a set of ideas into private property. Copyright infringement is, therefore, whether "legally" or not, theft.

As it happens, the penalties for theft of a $25 something are far less than the potential penalties for copying a $25 something and giving it to friend. Criminal copyright infringement is a federal crime and a felony. $25 theft from your local Market-o-Mass-Media is a petty misdemeanor.

Believe it or not, there is a conception of right and wrong beyond the narrow confines of legalese. It seems to me right and proper that the creator of a work should have the right to control of the work. That's what copyright is about. The right to copy.

If you create something and wish to cast it into the wind, so be it. That's what the GPL is about: using the instrument of copyright to ensure that a work is and shall remain free.

My whole point (I had one when I started) is that this is not like the Linux DeCSS mess (where they did nothing AFAIK that would constitute a violation of US law; how sad they were in Norway if their laws make what they did illegal). This is not a free-speech issue (unless you are talking about the free-speech rights of the artists). This is not like the arguments against software patents.

There was a recent case where somebody wanted to use Dr. Martin Luther King's famous "I have a dream" speech in a television advertisement. This is something I would have held to be a grotesque debasement of one of the most important examples on rhetoric in this, or any other, century. Fortunately, Dr. King copyrighted all his speeches. The advertisers went to court arguing that it had been news, and therefore a matter of public record. The court upheld the copyright. Copyright good.

You may indeed be doing little or no harm when you copy a song and give it to a friend. If it stays at that level, it is unlikely to draw the attention of any law enforcement or corporate lackeys. But it is the same usurpation of the creator's rights as it would be if you did it on an industrial scale. It is simply a matter of scale, or degree. It is the same act. We convict someone of murder no matter if they kill one person or fifty. When you copy a song and give it to a friend you are acting as those advertisers would have acted if they had gone ahead and used "I have a dream" to sell a car, or some soap, or bottles of beer.

The placing of mp3s on public servers (and we didn't get enough detail on this story, so I am only assuming this is what they did), and then to argue fair use is like me copying your book 100,000 times and leaving the copies lying around and then trying to claim, "Oh, that's fair use -- those are all for me."

First of all, if you listen only to net "radio" stations that have a right and license to broadcast all of the music they use, then great, no problem. However, if your are listening to streaming broadcasts of illegally distributed MP3 files, then you are just as guilty as the person broadcasting (at least for a moral, if not legal perspective).

As far as I know all of the mp3s I listen to are legal as either I own them or the person who is streaming them owns them. Last time I checked letting someone else listen to your music for free wasn't illegal, and if it is I'd better throw away my speakers and get some headphones because my girlfriend has been illegaly listening to my music for months now....

Guessing passwords to enter a password protected area is not illegally breaking into a computer system and stealing private data? Tell that to Randal Schwartz, "just another Perl hacker and convicted felon".

Well, as many people here seem to be forgetting, the 4th ammendment only covers searches conducted by the government or an agent of said government (the police, fbi, fcc, somebody acting on behalf of the police, etc...)

CMU is not, as far as I know, any kind of government agent - therefore though they may be guilty of breaking into computers, it is by no means "illegal search and seizure"

That is correct. Instead of 'illegal search and seizure' it's called 'Breaking and Entering' in most places when a private entity does something like this. Do you think CMU could raid your dorm without a warrant? They may be able to, but they shouldn't be able to.

Some bands (and musicians) aren't touring type bands. They work in the studio. And how many bands have you seen that play as well live as they do in the studio? If the recording studio is out of date, so is the software industry. By my last check, I can record 24-bit digital music. Can your cd player play that? Can mp3 encode it? Granted, the gear isn't nearly the price it used to be, so it has naturally changed. Selling music is a business. Giving it away is, something else..

If the only reason the band sounds good is because their music has been 'edited' in the studio then they don't need to be making music. And if no one can listen to 24-bit digital music then what is the purpose of producing it? Selling music should NOT be a business, anymore than playing Baseball or Basketball should be. These are things people should be doing for fun, not for money. If people want to give the artists money then that's great. But having an 'entertainment industry' is just rediculous.

Look. I'm not saying that because the password was easy to guess it's OK to break in. What I'm saying is that people do not use a password of 'mp3' in an effort to restrict access to the share. Most MP3 shares that I come across that have passwords use the password 'mp3'. They don't do this because they're dumb; they're doing it because they WANT the general public to be able to access the share, while at the same time they can keep out things like automated spiders.

For this reason (intent), these shares are not "private" resources. The owner of the share is either publishing the password in a README or he's using a known, public password specifically so the public can get access.

If 'mp3' or 'guest' doesn't work, it's not obvious in my opinion. Either of these passwords is very common in the world of MP3 trading, and if I were the one doing the searches, I would try 'mp3', then 'guest', then I'd stop.

Think about this for a minute. If all someone has to do to avoid being identified (through legal process) as an MP3 distributor is place a 'mp3' password on their share, that's like giving them free reign to break the law. It's common knowledge that 'mp3' opens MP3 shares. It doesn't make sense to award shares set up in this fashion any more degree of protection or privacy than other public (but non-passworded) shares.

Where did you hear this? Firstly, this has nothing to do with illegal distribution of MP3's. Even if you *were* legally entitled to a 24-hour "evaluation" period, that CERTAINLY would never give you the right to duplicate or re-distribute duplicated copies.

Additional ramifications of this assumption include (but are not limited to):

Video rentals. Why rent when you can buy, watch it, and return it within 24 hours FOR FREE?

Magazine sales. Buy a mag, read it, return it the next day. Consider that $2.99 a refundable deposit!

Fast reader? Why rent from the library when you can get a 24-hour rental from the book store?

Fair use has NOTHING to do with "evaluation" of a copywritten work. Fair use is meant to allow people limited reproduction rights for certain research and educational purposes and to grant certain exemptions for libraries.

But how would they know that the password was mp3? By attempting to guess the password

Yep. Here, 'guess' is synonymous with 'try'.

i.e. breaking into the computer!

No. Since when is it considered 'breaking in' when you 'try' to turn the doorknob?

If you set up some sort of marketing thing and have a web site that's password protected with a password like "money4you", and then proceed to parade that password across your superbowl commercials, in print, magazines, before movies, and every place you can think of with announcements saying, "Come visit our web site, enter the password 'money4you' on the correct page and get $50 off your next purchase!", are each of those people "breaking in" to the web site? They have to try ("guess") the password in order to see if it lets them in.

If you read CMU's computing policy... impose very stringent conditions that were not met here.

CMU's computing policy is nothing more than a POLICY for its *STUDENTS*. This carries absolutely NO legal weight WHATSOEVER except in that it can be used as justification for CMU to use disciplinary action should those policies be violated by a student. CMU cannot be legally held to these posted guidelines, but their students can (since their contracts with CMU regarding things like computing and network resources point specifically to these policies as guidelines the student must abide by).

What people seem to be objecting to is the *legal* ramifications of CMU's efforts. For that reason, you should be looking at the definitions as set forth in the laws themselves, not some stupid student policy set forth by the university. If you think CMU is evil because the university doesn't abide by the same rules they make their students abide by, fine, but that's another topic entirely.